From e55af04e65967158fe9e5294c9dccec63a1f3b84 Mon Sep 17 00:00:00 2001 From: Flavio Ceolin Date: Mon, 17 Jul 2023 11:23:57 -0700 Subject: [PATCH] bt: audio: shell: Fix possible buffer overflow Check the size of the search argument in cmd_media_set_search before copying it. Signed-off-by: Flavio Ceolin --- subsys/bluetooth/audio/shell/media_controller.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/subsys/bluetooth/audio/shell/media_controller.c b/subsys/bluetooth/audio/shell/media_controller.c index fb239df02dc21a..25acc028a9ef2e 100644 --- a/subsys/bluetooth/audio/shell/media_controller.c +++ b/subsys/bluetooth/audio/shell/media_controller.c @@ -1230,9 +1230,16 @@ static int cmd_media_set_search(const struct shell *sh, size_t argc, char *argv[ */ struct mpl_search search; + size_t len; int err; - search.len = strlen(argv[1]); + len = strlen(argv[1]); + if (len > sizeof(search.search)) { + shell_print(sh, "Fail: Invalid argument"); + return -EINVAL; + } + + search.len = len; memcpy(search.search, argv[1], search.len); LOG_DBG("Search string: %s", argv[1]);